HIPAA
Through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress called on the U.S. Department of Health and Human Services (HHS) to promulgate regulations that would help ensure the privacy and security of health information. The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and the Security Standards (the Security Rule) promulgated pursuant to HIPAA apply to 'covered entities' and limit the ability of such entities to use or disclose protected health information (PHI). The Privacy Rule defines a 'covered entity' as a health plan, health care clearinghouse, or health care provider who transmits health information in electronic form in connection with certain specified transactions. While the Privacy Rule and the Security Rule do not directly apply to employers, the requirements of these rules do apply to ERISA-covered 'group health plans' that are sponsored by many employers.
The Privacy Rule prohibits covered entities from disclosing PHI except where disclosure is: 1) to the individual who is the subject of the PHI; 2) for treatment, payment, or health care operations as defined in the Privacy Rule; 3) authorized by the individual; or 4) specifically permitted without authorization by the individual. The Privacy Rule requires covered entities to adopt written policies and procedures regarding the use and disclosure of PHI that are designed to comply with the Privacy Rule.
The Security Rule imposes obligations on covered entities to ensure the confidentiality, integrity, and availability of all electronic PHI that the covered entity creates, receives, maintains, or transmits. Pursuant to the Security Rule, a covered entity is required to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI it holds, and to implement a risk management program that reduces the identified risks and vulnerabilities to a reasonable and appropriate level. Covered entities must have in place certain specified administrative, physical, and technical safeguards to protect the electronic PHI they maintain, and must adopt written policies and procedures regarding how those safeguards will be implemented.
The fundamental purpose of the Privacy Rule and the Security Rule is to preserve and safeguard PHI. Because plan sponsors often perform functions that are integral to the functions of group health plans and thus require access to an individual's health information held by the group health plan, the Privacy Rule restricts the flow of information from the group health plan to the employer plan sponsor. Under the Privacy Rule, a group health plan may disclose PHI to its plan sponsor only for limited purposes and only after the plan sponsor has complied with the Rule's prescribed requirements for disclosure. The principal purpose of this regulatory barrier between a 'group health plan' and an employer plan sponsor is to prevent employers from using their employees' PHI to make employment-related decisions. It is worth noting, however, that the Privacy Rule exempts from the definition of PHI, employment records held by a covered entity in its role as employer. Pursuant to this exemption, to the extent that an employer in its capacity other than as plan sponsor collects and maintains health information regarding its employees, HIPAA would not apply.
To determine the impact of the Privacy Rule, an organization must examine: 1) the type of health information the plan sponsor receives; 2) the purposes for which the plan sponsor receives information; and 3) the extent, if any, to which the plan sponsor performs administrative functions on behalf of the group health plan.
The Privacy Rule defines a plan sponsor's responsibilities based on whether the plan sponsor receives 'protected health information' or 'summary health information.' A plan sponsor that receives summary health information (that is, a subset of PHI that summarizes claims history, expense, or experience and is stripped of certain personal identifiers) is minimally impacted by the Privacy Rule. A plan sponsor that needs only summary health information to effectively manage its health benefits program may receive the information if it agrees to limit its use of the information to: 1) obtaining premium bids for providing health insurance coverage to the group health plan; or 2) modifying, amending, or terminating the group health plan.
On the other hand, a plan sponsor that receives PHI is subject to increased operational and administrative burdens. Plan sponsors typically may receive PHI either from the group health plan itself or from another entity (such as an insurer) that administers the company's health benefits program. Before a plan sponsor may receive PHI, the group health plan, or the insurer acting on behalf of the plan, must obtain assurance in the form of a 'certification' that the plan sponsor has complied with the Privacy Rule's requirements.
A plan sponsor must certify to the group health plan that it has amended the plan documents to incorporate various provisions. Unless disclosing PHI for enrollment purposes, the plan documents need to be amended before the sponsor may receive PHI. The plan sponsor must agree to:
In addition, the plan documents must identify, either by name or function, any employee of the plan sponsor who receives PHI for payment, health care operations, or other matters related to the group health plan. The plan documents also must restrict access to and use of PHI to specific, identified employees for the purpose of completing the administrative functions the plan sponsor performs for the group health plan. Finally, the plan documents must provide an effective mechanism for resolving issues of improper use of or access to PHI. The health insurance issuer or other group health plan may disclose PHI to the plan sponsor only after it receives the plan sponsor's certification indicating that the plan documents were amended.
Disclosure of PHI in violation of HIPAA can result in steep civil and criminal penalties (up to $250,000 in fines and 10 years of imprisonment). Consequently, employers who act as plan sponsors must carefully assess their compliance with HIPAA's Privacy Rule and Security Rule.
HIPAA establishes a basic level of protection for health information. State laws relating to the privacy of health information are not pre-empted by HIPAA if they offer more stringent protections. Employers should consider relevant state laws on a case-by-case basis as specific issues arise.
Information Security
Security Breach Notification Laws
The recent increase in identity theft crimes has resulted in the enactment of numerous state security breach notification laws. These laws generally do not distinguish between consumers and employees. Consequently, employers would be required to comply with these laws in the event that unauthorized individuals acquire certain employee personal information. A security breach occurs when an unauthorized person acquires or accesses personal information maintained by a company. It is not a breach when an employee or company agent acquires or accesses the data for company purposes, as long as the data is not used or disclosed in an unauthorized manner.
Although these laws differ somewhat, generally an entity that maintains 'personal information' about individuals needs to notify those individuals of certain security breaches involving computerized data. Specifically, entities are required to notify those whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. 'Personal information' typically means unencrypted data consisting of a person's first name or first initial and last name, in combination with a Social Security number; a driver's license or ID card number; or an account, credit card, or debit card number together with any password or access code that would permit access to the account. Entities subject to these laws must notify affected individuals promptly following discovery of a breach (most of these laws call for notice in the most expedient time possible and without unreasonable delay) if an unauthorized person may have acquired unencrypted electronic personal information.
To date, 29 states have enacted security breach notification laws. Most of these state laws differ at least to some extent. Employers are well advised to determine whether the state in which they operate has a security breach notification law and to comply with such state's specific requirements in the event of a security breach.
Safeguarding Personal Information
Considering the tremendous cost to businesses that suffer security breaches, employers are well advised to develop and implement a plan to safeguard the personal information that they maintain. Such a plan should be appropriate to the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the information it maintains. While there are a handful of basic elements listed below that every safeguards plan should address, businesses have the flexibility to implement policies, procedures, and technologies that are appropriate to their unique circumstances.
Designate one or more employees to coordinate a safeguards program.
Whether an organization tasks a single employee with coordinating safeguards or spreads the responsibility among a team of employees, someone in the organization needs to be accountable for information security. In deciding who it should be, employers should recognize that information security is fundamentally a management issue, not a technology issue. While information technology can play a significant role in protecting data, effective information security requires a broader focus and should include physical security, employee training and management, and business processes. In addition, an appropriate safeguards program will almost certainly require the coordination of legal, human resources, information technology, audit, and business functions. The person or team that coordinates the program should have the ability to communicate and work effectively with all of these different groups.
Identify and assess the risks to individuals' personal information in each relevant area of the company's operations and evaluate the effectiveness of current safeguards for controlling these risks.
To conduct a risk assessment, an employer will need to identify the information that is being protected and the related risks to that information. In particular, an employer should focus on protecting individuals' personal information in addition to the company's business information and operations. To begin, an employer should identify the personal information that it actually collects, how the employer uses it, where it is stored, to whom it is disclosed, who has access to it and for what purposes, and how it will ultimately be disposed of. The employer should map these data flows and classify data by sensitivity so that security measures can be prioritized.
Next, an employer should consider all the ways that personal information can be compromised. While an employer should obviously consider intrusions by computer hackers, employers should also think about ways that employees, service providers, business partners, or vendors could compromise the security of personal information, either intentionally or through carelessness. Employers should take into account risks beyond those associated with information technology and consider business processes as well. It is advisable to have the risk assessment conducted by a team that includes both technical and business personnel, because of their different perspectives on the likelihood and impact of threats.
Once the risks are identified, a gap analysis is necessary to evaluate where current safeguards are inadequate to address the identified risks. Employers should consider the likelihood that a given risk will occur and the severity of the consequences should it happen. Employers should also consider the effectiveness of the various available security measures and their cost, relative to the harm caused by a compromise.
Employers should recognize the full range of potential costs in the event of a security breach: the cost of investigating the breach; mitigating and remediating damage to systems, and securing the systems after the breach; lost sales or productivity caused by the unavailability of systems or data; notifying affected individuals and government agencies, as appropriate; responding to regulator inquiries and enforcement actions; legal fees and costs for the defense of private lawsuits; lost customers; reputational damage; and a possible drop in stock price. The harm caused by a compromise should be defined more broadly than just the resulting financial costs.
Design and implement a safeguards program, and regularly monitor and test it.
In designing a safeguards program, employers should consider all areas of operations, such as employee management and training; information systems; and managing system failures, which encompasses prevention, detection and response to attacks, intrusions, and other system failures. The goal is to create security policies and procedures that are more than mere paper and will actually be followed in day-to-day business operations. Employers should monitor and test each of the elements of their program to reveal whether it is being followed consistently and whether it is operating effectively to manage the risks to personal information that it was designed to address.
Select appropriate service providers and contract with them to implement safeguards.
When service providers or other third parties have access to data or information systems, steps should be taken to determine whether they can be trusted not to compromise information security and to ensure that they are contractually required to meet specified safeguards standards.
When conducting due diligence on third-party service providers, employers should review an independent audit of the third party's operations; obtain information about the third party from several references or other reliable sources; require that the third party be certified by a recognized trade association or similar authority; review and evaluate the service provider's information security policies and procedures; and take other appropriate measures to determine the competency and integrity of the party. Contracts with third parties should specifically address safeguards obligations; a general confidentiality provision is not sufficient. Employers should also require third parties to notify them of significant security incidents (so the employer can determine whether it has any legal obligation to provide notice to individuals of a possible data compromise) and to cooperate in responding to security incidents and investigating data breaches. In addition, an employer may want to ask for the right to audit a third party's safeguards program for compliance with legal and contractual requirements.
Evaluate and adjust the safeguards program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring.
Security is an ongoing process, not a static condition. Employers need to evaluate and adjust their safeguards program at regular intervals and respond to results obtained through testing and monitoring the program. A safeguards program also will require changes to keep up with technology, business practice, and personnel. Employers should remain vigilant about new or emerging threats to information security and changes in the legal and regulatory environment.
Next month, we discuss telephone, e-mail and Internet use, security breaches, and safeguarding personal information.
Lisa J. Sotto is a partner in the New York office of Hunton & Williams LLP and heads the firm's Privacy and Information Management Practice. She also serves as Acting Chair of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Elisabeth M. McCarthy is counsel in the New York office of Hunton & Williams LLP and advises clients on privacy and information management issues.